Updating of security procedures definition
The computer security controls outlined in Section 9 of Pub. 1075 direct agencies to several key areas that focus on operational security.
Performing a risk assessment of the system(s) that receive, process, store or transmit FTI on a periodic basis improves the agency's ability to understand and manage the risk to the confidentiality, integrity and availability of those IT assets and of the FTI they hold.
It is important to perform risk assessments periodically because computer equipment and software change, organizational policies change, and the security requirements in Pub. 1075 are updated. Existing resources, such as the legislative, internal and state-level audits to which the agency is already subject, can be leveraged when conducting risk assessments to ensure efficiency and the best use of agency resources.
Examples of vulnerability scanning products include Tenable Network Security's Nessus, Application Security Inc.
The agency shall update and submit the SSR annually to encompass any changes that impact the protection of FTI.
Although the frequency of vulnerability scans and the particular scanning tool used are determined by agency policy, the IRS requires that scanning be conducted at least quarterly, or whenever significant new vulnerabilities affecting the system are identified and reported.
Examples of host configuration compliance tools include ThreatGuard Secutor Prime and McAfee Policy Auditor.
The SSR also advises the IRS of future actions that will affect the agency's safeguard procedures, summarizes the agency's current efforts to ensure the confidentiality of FTI, and certifies that the agency is protecting FTI pursuant to IRC Section 6103(p)(4) and the agency's own security requirements.
The IRS also requires the recipient agency to conduct internal inspections.